From 3ab02db5f836ae0cf9fe7fba616d7eb52139d537 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 23 Jul 2019 15:03:23 +0200
Subject: cache: add NFT_CACHE_UPDATE and NFT_CACHE_FLUSHED flags

NFT_CACHE_FLUSHED tells cache_update() to skip the netlink dump to populate the cache, since the existing ruleset is going to flushed by this batch. NFT_CACHE_UPDATE tells rule_evaluate() to perform incremental updates to the cache based on the existing batch, this is required by the rule commands that use the index and the position selectors. This patch removes cache_flush() which is not required anymore. This cache removal is coming too late, in the evaluation phase, after the initial cache_update() invocation. Be careful with NFT_CACHE_UPDATE, this flag needs to be left in place if NFT_CACHE_FLUSHED is set on.

Signed-off-by: Pablo Neira Ayuso
---
src/evaluate.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'src/evaluate.c')

diff --git a/src/evaluate.c b/src/evaluate.c
index e7f16ba6..48c65cd2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3394,11 +3394,10 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule,
 return -1;
 }
 
- /* add rules to cache only if it is complete enough to contain them */
- if (!cache_is_complete(&ctx->nft->cache, NFT_CACHE_RULE))
- return 0;
+ if (cache_needs_update(&ctx->nft->cache))
+ return rule_cache_update(ctx, op);
 
- return rule_cache_update(ctx, op);
+ return 0;
 }
 
 static uint32_t str2hooknum(uint32_t family, const char *hook)
@@ -3824,7 +3823,6 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
 
 switch (cmd->obj) {
 case CMD_OBJ_RULESET:
- cache_flush(ctx->nft, ctx->msgs);
 break;
 case CMD_OBJ_TABLE:
 /* Flushing a table does not empty the sets in the table nor remove
-- 
cgit v1.2.3
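Review bot: In rule_evaluate() the new guard `if (cache_needs_update(&ctx->nft->cache))` replaces the explicit `cache_is_complete(..., NFT_CACHE_RULE)` check, so nothing visible here still confirms that the cache holds rules before `rule_cache_update(ctx, op)` runs; `cache_needs_update()` is defined outside this diff, so this is inferred rather than shown. The description says NFT_CACHE_FLUSHED skips the netlink dump and has to coexist with NFT_CACHE_UPDATE, which is the case where index/position selectors would be resolved against a cache built only from the batch, and a mis-resolved position could place a filter rule somewhere other than where it was requested. With the old comment removed the condition is also unexplained, so I would add `/* NFT_CACHE_UPDATE: mirror this rule into the cache so later index/position selectors in the batch resolve against it */` above the `if`, plus a regression test for a ruleset flush followed by an index-based add in the same batch. The body of rule_evaluate() starts above the hunk.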